The Hacker News — Cyber Security, Hacking, Technology News

Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could leak sensitive data stored by users.

Fingerprint Manager Pro is a utility for the Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software can also be configured to store website credentials and authenticate to sites via fingerprint.

In addition to fingerprint data, the software also stores users' sensitive information, such as their Windows login credentials, all of which is encrypted using a weak cryptographic algorithm.

According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that makes the software's stored data accessible to all users with local non-administrative access.

"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, briefly describing the vulnerability.

The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation systems, affecting more than two dozen ThinkPad models, five ThinkStation models and eight ThinkCentre models that run the Windows 7, 8 and 8.1 operating systems.

Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:

The popular Chinese computer manufacturer strongly recommends that its ThinkPad customers update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head to the company's official website to do so.

Since Microsoft added native fingerprint reader support in the Windows 10 operating system, eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not affected by the vulnerability.

MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature.

The company is already testing the new biometric payment cards, combined with the on-board chips, in South Africa and says it hopes to roll out the new cards to the rest of the world by the end of 2017.

Don't Worry, It Still Supports PIN-based Transactions as Fallback

Wait, if you think this feature would stop you from sharing your card with your child or spouse, don't worry: Mastercard has a solution for this issue as well.

The company has confirmed that even if the card is configured to require a fingerprint to authenticate a purchase, it still has a PIN as a fallback, in case an EMV reader fails to read the fingerprint for some reason or you have handed the card to your child for shopping.

Stores & Retailers Don't Need New Hardware

According to Mastercard, the new biometric payment card will not require store owners and businesses to buy any new hardware, like fingerprint scanners, because the sensor in the card reads your fingerprint.

Since both the data and the scanner exist on the same card, the new payment cards work with existing EMV card terminal infrastructure — the standard chip/swipe readers you can find at many stores these days, though old magnetic stripe-only terminals won't be compatible.

But, Banks Need to Adopt New Technology

Before these new cards can be adopted worldwide, your bank or financial institution will have to get on board with the new technology.

If you want the new biometric card, you are currently required to go to your bank branch in order to have your fingers scanned and registered for the new tech. Your fingerprints will then be converted into an encrypted digital template that is stored on the card's EMV chip.

You can save up to two fingerprints, but both have to be yours: you cannot authorise someone else, even a family member, to use your card with their fingers.

How MasterCard Biometric Payment Card Works

Once your templates are saved, your card is ready to be used at compatible terminals across the world.

Merchants don't have to purchase new equipment to accept your fingerprint-enabled payment card, but they will have to update their existing terminals to use the new tech.

Now, while shopping at any store, just insert your biometric payment card into the retailer's EMV terminal and place your finger on the embedded sensor to pay. Your fingerprint is verified against the template stored on your card to approve the transaction.

Can Fingerprints be Forged? And Other Concerns...

This new card is an attempt to make face-to-face payments more convenient and more secure, but this type of biometric verification is useless when it comes to online shopping, and so provides no protection against online credit card fraud.

"Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security," MasterCard security chief Ajay Bhalla said. "[A fingerprint is] not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."

But that isn't true.

Fingerprints can be faked, unfortunately, and we have seen previous research in which high-resolution images were used to make fake fingerprints for malicious purposes. So criminals could place a fake fingerprint over their own finger to shop with stolen cards.

In addition to biometric cards, MasterCard is also planning to bring contactless payments, which should function similarly to mobile payment systems like Apple Pay, where users authenticate themselves via fingerprint while holding their smartphones against the terminal.

Samsung launched its new flagship smartphones, the Galaxy S8 and Galaxy S8 Plus, at its Unpacked 2017 event on Wednesday in New York, with both iris and facial recognition features, making it easier for users to unlock their smartphones and sign into websites.

All users need to do is simply hold their Galaxy S8 or S8 Plus in front of their eyes or their entire face, as if they were taking a selfie, in order to unlock their phone.

Biometric technology, which relies on a person's unique physical identifiers such as the retina, iris, fingerprint or DNA, is now being integrated into more consumer devices for improved security.

But we have seen a number of hacks involving biometric security systems in the past, which show that fingerprint and iris scanners are less secure than a passcode and can be fooled by anyone, perhaps using just a photograph of the user.

But how secure is Samsung's built-in facial recognition? Not very, at least for now.

I was wondering if the new facial recognition integrated into Samsung's Galaxy S8 and S8 Plus can be fooled into unlocking a device using a photograph of the device owner, and somebody just made it possible.

Video Demonstration

YouTube vlogger iDeviceHelp posted a video on his channel, in which Marcianotech demonstrated that unlocking a Galaxy S8 or Galaxy S8 Plus is as simple as getting the device owner's picture from Facebook and waving that photo at the phone.

It is unclear at this moment how closely the photo used in the demonstration has to match the real face, at what distance the photo was held from the phone's camera, or what angle was used when the face was registered for recognition.

But what is clear is that a gap remains in the security of Samsung's new facial recognition feature.

Moreover, there are reports that Samsung's Galaxy S8 will include a facial recognition feature for mobile payments in the coming months.

The company has yet to comment on this issue. We hope this is because the software is still in a demo state for now, or that it is simply a bug Samsung will address before the device ships on April 21.

Whatever the case, the Galaxy S8 and S8 Plus also offer other security tools, including iris scanning and fingerprint scanning, so for now you are better off using those, or simply your passcode, to unlock your device instead of facial recognition.

Until now, fingerprint biometric readers have required you to touch the sensor to authenticate yourself as an authorized person.

However, the latest research suggests that the future of fingerprint scanners lies in "no-touch" capture, where an individual gains access without touching the sensor.

Recently, NIST (the National Institute of Standards and Technology) has funded a number of startups and companies to develop touchless fingerprint readers.

Contactless biometric technology still requires the person's presence, but from meters away: the scanner can sense and read your fingerprint while you are standing a few meters from it.

Contactless Fingerprint Scanners: Fast and Time Saving

With touch-free technology, authentication is faster, saving time, and more hygienic than with conventional biometric devices.

Imagine a long queue where, to pass the fingerprint sensor, you just need to wave your hand rather than touch the sensor. That sounds easy as well as time-saving.

Basically, the objective of this project "is to produce open testing methods, metrics, and artifacts that will support future certification of these types of [biometric] devices for inclusion on Government Certified Products Lists."

The 'fast-capture non-contact' devices, as NIST calls them, are undergoing testing after prototype sensors from various developers were submitted to NIST.

NIST faces several issues, the largest challenge being that "this new technology produces images that are fundamentally different from existing images," says Michael Garris, a NIST biometrics senior scientist.

Research and development (R&D) of such a technology is not a one-man job, so NIST is funding various organizations to help overcome the challenges they face and to manufacture the devices.

NIST has also started a program called the Cooperative Research and Development Agreement (CRADA), in which organizations and developers can participate to make this technology a reality.

Contactless Fingerprint Scanners: A Weapon for Hackers?

In the past, we have witnessed security breaches involving fingerprints either by:

However, contactless fingerprinting devices do not even require a person's touch to steal their fingerprints.

So this new technology could make it easier for hackers to capture users' fingerprints at large scale. All they would need to do is hold a scanner while taking a casual walk through a mall or near their victims.

Until now, hackers impersonated users simply by lifting prints off the side of a phone and gaining unauthorized access to the phone and its data.

However, security researchers have now discovered four new ways to attack Android devices and extract user fingerprints remotely without the user knowing.

The attack, which the researchers dubbed the "Fingerprint Sensor Spying attack," could be used by hackers to "remotely harvest fingerprints in a large scale," Yulong Zhang, one of the researchers, told ZDNet.

Remotely Hacking Android Fingerprints

FireEye researchers Tao Wei and Yulong Zhang presented their research in a talk titled "Fingerprints on Mobile Devices: Abusing and Leaking" at the Black Hat conference in Las Vegas on Wednesday, where they outlined new ways to attack Android devices in order to extract user fingerprints.

The new attack is limited mostly to Android devices with fingerprint sensors, which let the user authenticate by simply touching their phone's screen instead of entering a passcode.

The researchers confirmed the attack on the HTC One Max and Samsung's Galaxy S5, where they were able to stealthily obtain a fingerprint image from the device because vendors do not lock down the fingerprint sensor well enough.

The attack affects mobile phones from major manufacturers, including handsets from Samsung, HTC and Huawei.

Fingerprints vs. Passwords

Think about it: stolen fingerprints are an even worse scenario than stolen passwords, because you can change your password after a breach but you cannot replace your fingerprints.

"In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," said Zhang.

The good news is that the issue is relatively easy to fix by encrypting the fingerprint data on Android devices, and the affected vendors have since released patches after being alerted by the researchers.

Researchers have not shared any "proof-of-concept" detailing exactly how the fingerprint stealing attack can be executed remotely.

Meanwhile, Apple users can relax, as the iPhone and iPad's Touch ID appears to be "quite secure" because it encrypts the fingerprint data from the scanner with a cryptographic key, making it unreadable even if hackers gain access to it.

Users should note that Google does not yet officially support fingerprints in its mobile operating system, but it will support fingerprint sensors with the Android M update.

If you are one of those using cocaine, law enforcement officials may soon catch you by simply examining your fingerprints.

Scientists have developed a new type of drug test that can tell whether you have taken cocaine by analyzing chemical traces left behind in your fingerprint.

A team of scientists led by the University of Surrey developed a test that uses the mass spectrometry chemical analysis technique, a method that proved more accurate than the saliva, blood or urine tests currently relied on by authorities.

"When someone has taken cocaine, they excrete traces of benzoylecgonine and methylecgonine as they metabolize the drug, and these chemical indicators are present in fingerprint residue," said Dr. Melanie Bailey, the lead researcher from the University of Surrey.

How is it all done?

A person's fingerprint sample is treated with a mixture of methanol and water to extract the traces. A mass spectrometer is then used to analyze the print, detecting the chemicals based on their atomic size.

Researchers believe their fingerprint method would be quicker, less invasive, more accurate, more hygienic and much harder to fake than existing tests.

What’s the use?

Drug testing is used routinely by courts, prisons, probation services, and other law enforcement agencies.

However, traditional drug testing methods are time-consuming and have some limitations.

Blood testing, for example, takes several minutes and requires trained staff to draw the sample. Urine tests also raise privacy concerns.

Moreover, samples such as blood, saliva or urine can be biological hazards, and often require specific storage and proper disposal methods.

However, scientists believe their new fingerprint method could help law enforcement to carry out portable drug tests within the next decade.

The method would also be useful for workplace testing, where high throughput is needed.

However, before using this new cocaine test in real-life scenarios, the scientists need to do extensive testing for reliability.

The team believes it will be able to deliver the first working unit to medical and law enforcement personnel within the next few years.

Bailey conducted the study involving scientists from the Netherlands Forensic Institute, King’s College London, the UK’s National Physical Laboratory, and Sheffield Hallam University. The findings of the research were published in the journal Analyst on Friday.

Yes, the next generation of identification for mobile payments and other sensitive online interactions will depend on embeddable, injectable, and ingestible devices, completely replacing passwords with the identification of your body.

KILL ALL PASSWORDS

LeBlanc has recently started giving a presentation titled "Kill all Passwords" at various security and tech conferences in the United States and Europe.

In the "Kill all Passwords" presentation, LeBlanc claims that the next generation of identification will be "true integration with the human body."

By true integration with the human body, LeBlanc means that instead of using "antiquated" external body features such as fingerprints and iris scans to identify online users, internal body functions such as vein and heartbeat recognition are used.

Embedded, injected and ingestible devices will enable this "natural body identification."

These devices include:

Brain implants and attachable computer systems that "put users in charge of their own security," LeBlanc told WSJ.

And when he talks about ingestible devices, he means devices that could be powered by your stomach acid, which would run their batteries, LeBlanc added.

But, Why Kill Passwords?

As we have reported many times, the passwords people choose for their online accounts are easy to guess and break, and according to LeBlanc, it is the right time to replace the traditional username-and-password verification concepts and methods.

When we could use more accurate and secure methods, why stick to the traditional ones?

Identity verification methods, such as thin silicon chips embedded in the skin, could result in an accurate and unique identity for a person, according to LeBlanc.

These chips can have built-in ECG sensors that monitor the unique electrical activity of a person's heart and communicate via "wireless wearable computer tattoos."

Moreover, ingestible capsules can be used to detect and analyze glucose levels and other unique internal parameters of a person's body as a way to establish that person's actual identity.

PAYPAL IS MOVING A STEP FORWARD

PayPal is also working with developers to build these kinds of futuristic ID verification devices, such as heartbeat recognition bands and vein recognition technology.

However, this does not mean PayPal is planning to adopt these new biometric verification technologies; rather, the company just wants to be at the forefront of research in this field.

As LeBlanc said, "I can’t speculate as to what PayPal will do in the future, but we’re looking at new techniques – we do have fingerprint scanning that is being worked on right now – so we’re definitely looking at the identity field."

A whole lot happened at the official kickoff of Mobile World Congress 2015, but a unique phone with a screen curved on both sides of the device grabbed everybody's attention. That is what Samsung unveiled late Sunday.

Samsung has officially unveiled its next-generation flagship smartphones, the Samsung Galaxy S6 and Samsung Galaxy S6 Edge. This time, the company did not just focus on specs and features, but also on a unique and sleek design.

1. EYE-CATCHING PREMIUM DESIGN

Both the Samsung Galaxy S6 and Samsung Galaxy S6 Edge come with a sleek glass-and-metal body on the front and back.

On one hand, the Samsung Galaxy S6 Edge has a screen that curves around both sides with a comfortable grip, giving the phone a much smarter look. Meanwhile, the Samsung Galaxy S6 has the most beautiful appearance yet in Samsung's entire S series.

The new Galaxy smartphones are made of 'stronger metal' and come with the toughest glass, Corning Gorilla Glass 4, which makes them harder to bend.

The Gorilla Glass 4 rear panel of the new Samsung Galaxy S6 smartphones comes in attractive colors such as Topaz Blue and White Pearl, which change appearance depending on how much light is reflected off the glass.

Both new Samsung Galaxy smartphones are lightweight: the Samsung Galaxy S6 is 6.8 mm thin and weighs 138 g, while the Samsung Galaxy S6 Edge is 7.0 mm and weighs 132 g. The new Galaxy smartphones' design looks and feels pretty sweet and attractive.

2. SUPER AND WIRELESS CHARGING

The brand new Samsung Galaxy S6 and Galaxy S6 Edge support WPC and PMA wireless charging, so you can now charge the smartphones wirelessly. The wireless charging technology adopted by both smartphones sets a new industry standard for universal wireless charging.

The Samsung Galaxy S6 has a 2,550 mAh battery, while the Samsung Galaxy S6 Edge has a 2,600 mAh battery. The battery in both smartphones lasts for up to 12 hours on Wi-Fi, and Samsung claims they support incredibly fast wired charging, "faster than any other smartphone in the industry."

Samsung claims you will get four hours of battery life from just 10 minutes of charging the Samsung Galaxy S6. To reach 100%, the new Galaxy smartphones take roughly half the time the iPhone 6 needs to charge.

3. STANDARD DISPLAY

The Samsung Galaxy S6 Edge is the first smartphone to feature a display curved on both sides, which is more eye-catching than any display we have seen on other Galaxy S series phones.

Both the Samsung Galaxy S6 and Galaxy S6 Edge are strikingly similar, with the same 5.1-inch Quad HD Super AMOLED display and 2,560 x 1,440 resolution, which gives a very high pixel density of 577 ppi. The only difference is that the Samsung Galaxy S6 Edge's 5.1-inch Quad HD Super AMOLED panel has a dual-edge display.

4. SMARTER AND SPEEDIER CAMERA

The camera is another real standout feature of the new Samsung Galaxy S6 smartphones. Both come with a 16MP rear camera and a 5MP front camera, like the Galaxy S5, but add Optical Image Stabilisation (OIS) for low-light shots and Auto Real-Time HDR for fast and easy color balance.

The company says the camera now launches almost immediately, in 0.7 seconds, by tapping the home button twice on the front of either phone. Both the rear and front-facing cameras offer a high dynamic range (HDR) mode that improves contrast and low-light performance.

At the launch, Samsung displayed low-light photos taken by the iPhone 6 Plus and the brand new Galaxy S6 side by side on the large screen. The latter won for both photos and video. In a video demo, a couple sitting in front of a fountain at night looked almost like silhouettes in the iPhone 6 video, but were clearly illuminated in the new Samsung Galaxy S6 video.

The Samsung Galaxy S6 and Galaxy S6 Edge are the first Samsung smartphones in the series to offer a mobile payments system. Samsung Pay, a new, easy-to-use mobile payment service, will launch on the Galaxy S6 and Galaxy S6 Edge in the United States during the second half of this year.

Protected by Samsung KNOX, fingerprint scanning and advanced tokenization, Samsung Pay supports both Near Field Communication (NFC) and a new proprietary technology called Magnetic Secure Transmission (MST) for payments. This means Samsung Pay will potentially work with many more terminals than Apple Pay.

6. FINGERPRINT SENSOR

Like Apple's Touch ID fingerprint scanner, Samsung now offers a fingerprint scanner in its new flagship phone, the Samsung Galaxy S6. However, the Galaxy S6 improves on the feature by replacing the "sliding" of your finger across the button with a simple press of your finger on it.

All you need to do is place your finger on the sensor embedded in the Samsung Galaxy S6's home button, and the phone will unlock without any passcode. You can store up to four fingerprints on the device.

As we mentioned above, the Samsung Galaxy S6's fingerprint sensor will also be a key part of Samsung Pay, Samsung's mobile payments platform, which will launch in the United States during the second half of this year.

On the security front, both devices are built on the upgraded Samsung KNOX end-to-end secure mobile platform, offering defense-grade features for real-time protection against potential malicious attacks.

Both smartphones use a 14-nanometer mobile processor with a 64-bit platform.

8. SAMSUNG GALAXY S6 Vs. SAMSUNG GALAXY S5

The Samsung Galaxy S5 came with a 2.5 GHz quad-core processor, whereas the Samsung Galaxy S6 sports two processors, one quad-core at 2.1 GHz and one quad-core at 1.5 GHz, which will allow it to handle more applications with greater precision.

One restriction of the Samsung Galaxy S6 is that it does not provide a microSD slot, meaning that you have to pay up front for expensive onboard storage, and whatever you buy, you are stuck with. The Samsung Galaxy S5 has no such restriction.

Both the Samsung Galaxy S5 and Galaxy S6 feature 16-megapixel rear cameras, but the Galaxy S6 offers a 5-megapixel front camera with more software improvements, compared to the 2-megapixel front-facing camera on the S5.

The Samsung Galaxy S6 adds a number of Samsung-specific features, including S Health 4.0 and Samsung Pay, which were not included in the Samsung Galaxy S5.

The Samsung Galaxy S6 and the Samsung Galaxy S6 Edge will be available globally starting April 10, 2015, in White Pearl, Black Sapphire, Gold Platinum, Blue Topaz (Galaxy S6 only) and Green Emerald (Galaxy S6 Edge only).

Hackers have already bypassed Apple's fingerprint scanner using fake fingerprints, and now they have found a way to reproduce your fingerprints by using just a couple of photos of your fingers.

Fingerprint sensors are already used by Apple and Samsung in their smartphones for authentication, and in the near future fingerprint sensors are expected to be part of plenty of other locked devices that can be unlocked using fingerprints, adding an extra layer of authentication. But how secure are your fingerprints?

A member of Europe's oldest hacker collective, the Chaos Computer Club (CCC), claimed to have cloned a fingerprint of Germany's federal minister of defense, Ursula von der Leyen, using pictures taken with a "standard photo camera" at a news conference.

At the 31st annual Chaos Computer Conference in Hamburg, Germany, this weekend, biometrics researcher Starbug, whose real name is Jan Krissler, explained that he used a close-up photo of Ms von der Leyen's thumb that was taken with a "standard photo camera" at a presentation in October, from nine feet (3 meters) away from the official. He also used several other pictures of her thumb taken at different angles.

Starbug then used a publicly available software program called VeriFinger with the photos of the finger taken from different angles to recreate an accurate thumbprint. According to the CCC, the result is good enough to fool fingerprint security systems.

"After this talk, politicians will presumably wear gloves when talking in public," Starbug told the audience at the Chaos Computer Conference.

However, this is not the first time the Chaos Computer Club has targeted fingerprints. In the past, the group demonstrated how easily the Apple iPhone 5s can be unlocked using a fake fingerprint lifted from a shiny surface, such as glass or a smartphone screen, that the owner has touched.

"This demonstrates—again—that fingerprint biometrics is unsuitable as [an] access control method and should be avoided," the group said at the time.

But this recent hack did not require any object 'carrying the fingerprints anymore,' which means that anyone could potentially steal someone's fingerprint identity from photos posted on Facebook, Twitter or any other social networking site.

This new finding by Starbug calls into question the effectiveness of fingerprint scanners as a security measure. Fingerprints have been promoted in the past as biometric identifiers, but because they can be easily reproduced, relying on them for security raises questions.

The practical danger is low, because even after obtaining your fingerprint, data thieves would still need to have your devices or otherwise find a way to sign in using your biometric information. But the concern is greater because the method requires no technical skill to perform the fingerprint cloning.